Ordinary cryptographic primitives lack resilience to device compromise, in that an adversary that learns the secret key for a device such as a client or server can cryptographically impersonate the device without detection.
In conventional authentication systems, such issues may be addressed in the server context through the use of distributed cryptography arrangements. For example, in a typical distributed cryptography arrangement, a secret key is stored in a distributed manner across multiple servers instead of being stored in its entirety on a single server, as a basic defense against compromise of the single server. Efficient distributed cryptographic protocols are known for use in these and other settings, including protocols for operations such as digital signing, key generation, encryption and decryption.
Most of these known distributed cryptographic protocols rely on homomorphic properties inherent in public-key cryptographic primitives, which generally allow partial operations executed with individual key shares to be combined to achieve an operation with a complete secret key.
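As an added illustration of the homomorphic property described above (this is example code written for this page, not code from any particular distributed-cryptography product or patent), the following Python script splits an ElGamal secret key additively across several servers and shows two of the operations mentioned earlier, key generation and decryption, carried out without any single party ever holding the complete key. Each server raises the ciphertext to its own share only; because exponents add under multiplication in the group, the product of the partial results equals the result that the full key would have produced. The group parameters are a constructed toy safe prime chosen so the arithmetic is easy to follow; a real deployment would use a standardized large group.

```python
"""Additive key sharing with ElGamal over a prime-order subgroup.

Constructed toy parameters (illustration only, far too small for real use):
P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
"""
import secrets

P, Q, G = 1019, 509, 4


def keygen_distributed(n: int, p: int = P, q: int = Q, g: int = G):
    """Dealer-free key generation: each of n servers picks its own share x_i
    and publishes g^x_i. The public key is y = prod(g^x_i) = g^(sum x_i),
    so the full secret x = sum(x_i) mod q is never assembled anywhere."""
    shares = [secrets.randbelow(q - 1) + 1 for _ in range(n)]  # x_i in [1, q-1]
    y = 1
    for x_i in shares:
        y = (y * pow(g, x_i, p)) % p
    return shares, y


def encrypt(m: int, y: int, p: int = P, q: int = Q, g: int = G):
    """Standard ElGamal encryption of a subgroup element m."""
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), (m * pow(y, r, p)) % p


def partial_decrypt(x_i: int, c1: int, p: int = P) -> int:
    """Server i raises c1 to its own share only; it sees neither x nor m."""
    return pow(c1, x_i, p)


def combine(partials, ciphertext, p: int = P) -> int:
    """Homomorphic combination: prod(c1^x_i) = c1^(sum x_i) = c1^x,
    which is exactly what a holder of the complete key would compute."""
    c1, c2 = ciphertext
    d = 1
    for d_i in partials:
        d = (d * d_i) % p
    return (c2 * pow(d, -1, p)) % p


def demo(n: int = 3):
    """Returns (message, result with all shares, result with one share missing).

    With all n partial results the message is recovered; with n-1 of them the
    combination is off by a factor g^(r*x_n) != 1, so the missing server's share
    is genuinely required rather than merely convenient."""
    shares, y = keygen_distributed(n)
    m = pow(G, secrets.randbelow(Q - 1) + 1, P)  # message encoded in the subgroup
    ct = encrypt(m, y)
    full = combine([partial_decrypt(x_i, ct[0]) for x_i in shares], ct)
    short = combine([partial_decrypt(x_i, ct[0]) for x_i in shares[:-1]], ct)
    return m, full, short


if __name__ == "__main__":
    m, full, short = demo()
    print("recovered with all shares:", full == m)
    print("recovered with one share missing:", short == m)
```

The same exponent-additivity is what lets threshold signing schemes combine partial signatures, and a dealer-free setup like `keygen_distributed` is why a compromise of one server yields only one share. Note that the scheme as written protects only the key held on the servers; a secret key held in its entirety by a client gains nothing from it, which is the gap the next paragraph points out.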
Nonetheless, deficiencies remain in current practice. For example, although the distributed cryptography arrangements described above can protect against adversarial compromise of a single server, a secret key stored in the client still remains vulnerable to compromise.